I’m giving a talk at Confidential Computing Summit 2026 in San Francisco on Tuesday. The title is “Trust Is the Next Bottleneck.” This essay is the argument behind the slides.
The short version: we are building an economy of autonomous AI agents on a trust foundation designed for humans clicking buttons. That foundation is cracking. The fix isn’t better software — it’s hardware.
The gap between authorization and execution
OAuth tokens, API keys, and IAM roles answer one question: which principal was granted this permission, and for what?
They don’t answer: what code is presenting the credential right now? Or: has the environment holding it been tampered with? A bearer credential proves possession, not provenance.
That gap didn’t matter much when the thing holding the token was a human with a browser. Humans are slow, contextual, and accountable in ways that make the gap tolerable. But agents aren’t humans. They’re fast, autonomous, and multiplicative. A single compromised agent credential doesn’t produce one bad action — it produces thousands, across systems, before anyone notices.
SolarWinds taught us this about supply chains. Codecov taught us this about CI pipelines. The 770,000-agent Moltbook breach — where a single database vulnerability simultaneously compromised every agent that held privileged credentials — taught us this about agentic systems.
The pattern is the same every time: controls that attest to who authorized something fail catastrophically the moment the execution environment is compromised. Authorization without execution integrity is a gap, and agents turn that gap into a chasm.
What measurement-rooted identity means
The payments industry solved a structurally identical problem two decades ago.
Magstripe cards stored credentials as static data. Anyone who could read the stripe could clone the card. The industry’s answer wasn’t better encryption of the stripe — it was EMV chips that dynamically generate transaction-specific credentials bound to tamper-resistant hardware.
EMV didn’t eliminate credentials. It made them hardware-bound: each transaction’s cryptogram is computed by the chip from a key that never leaves it, so reading the card’s data no longer yields a usable clone. The credential became inseparable from the hardware producing it.
Agent identity needs the same architectural move. Operational credentials, the tokens agents use to invoke tools, access data, and act on behalf of principals, need to be cryptographically bound to attested code running in a verified environment. The identity should be measurement-rooted: a verifier issues the credential only after checking a hardware-signed report of the specific binary, configuration, and platform state that launched, and binds it to a key generated inside that environment, so the credential is useless to anything that does not also hold the key.
This isn’t a novel insight. It’s a pattern the industry keeps rediscovering every time something autonomous touches something valuable.
MCP: flexibility bought at the cost of security
The Model Context Protocol is becoming the de facto standard for how AI agents invoke tools. Its design is pragmatic — optimize for adoption, make everything optional, let deployers choose their security posture.
That pragmatism has a cost. MCP’s protocol spec makes authorization optional for servers and says nothing about remote attestation; neither is a mandatory element of the handshake. Every high-assurance deployment must independently implement what the protocol could enforce by default.
The consequences arrived in April 2026 when OX Security disclosed critical vulnerabilities across major MCP implementations — 150 million downloads affected, 9 of 11 registries poisoned with malicious packages, 7,000 publicly accessible MCP servers. The root cause in every case: unauthenticated, unattested execution of tool invocations.
Anthropic’s stated position is that such mitigations belong outside the protocol’s scope. That’s technically defensible — TLS doesn’t mandate certificate pinning either — but in practice it means every organization deploying MCP in high-risk environments is rebuilding the trust layer from scratch.
In environments where hardware roots of trust and mature attestation frameworks already exist, this optionality is a material risk multiplier.
Confidential computing as the trust layer
Confidential computing delivers both privacy and foundational trust properties. But for agentic workloads, its most critical contribution is enabling attested identity at cloud scale.
TEEs — Trusted Execution Environments — are today’s most mature and widely deployed commercial primitive for:
- Cryptographically verified code integrity. The platform hashes the loaded binary and configuration into a measurement before execution begins, and memory isolation keeps the running code out of the host’s reach afterwards. Anything that changes the image changes the measurement.
- Credential sealing to measured environments. Secrets and signing keys are released, by the platform’s sealing mechanism or by a remote verifier, only to code whose measurement matches an expected value.
- Tamper-evident audit trails. Attestation reports are signed with a key fused into or derived inside the processor, so the cloud operator cannot forge them without compromising the processor itself. A report attests to launch state, not to later actions; an audit log becomes tamper-evident when the workload signs it with a key that was itself released only to the attested measurement.
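The flow described in “What measurement-rooted identity means” and the three properties above fit in a short simulation. The Go program below is an added example written for this page; it is not code from the talk, the CCC, or any TEE vendor. The hardware is played by a plain function holding an ed25519 attestation key (in production this is the vendor’s chip-bound key and its certificate chain), the measurement is a hash over constructed binary and config bytes, the credential stands in for the sealed secret, and a tool server checks proof of possession of the key that was generated inside the measured environment. All names, inputs and keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measure stands in for the launch measurement a TEE records (length-prefixed hash of binary and config).
func Measure(binary, config []byte) [32]byte {
	buf := fmt.Sprintf("%d:%s%d:%s", len(binary), binary, len(config), config)
	return sha256.Sum256([]byte(buf))
}

// Report is a simplified attestation report, signed by a platform key that workload code never sees.
type Report struct {
	Measurement [32]byte          // what was loaded
	Nonce       [16]byte          // verifier-supplied freshness value
	RuntimePub  ed25519.PublicKey // key pair generated inside the measured environment
	Signature   []byte
}
func (r Report) signedBytes() []byte {
	return append(append(append([]byte{}, r.Measurement[:]...), r.Nonce[:]...), r.RuntimePub...)
}

// Launch plays the hardware; in a real TEE the returned runtime private key never leaves the enclave.
func Launch(attKey ed25519.PrivateKey, binary, config []byte, nonce [16]byte) (Report, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := Report{Measurement: Measure(binary, config), Nonce: nonce, RuntimePub: pub}
	r.Signature = ed25519.Sign(attKey, r.signedBytes())
	return r, priv
}

var (
	ErrBadSignature = errors.New("attestation signature invalid")
	ErrBadNonce     = errors.New("nonce mismatch: stale or replayed report")
	ErrUnknownCode  = errors.New("measurement not in allowlist")
)

// Verifier is the relying party: it trusts the platform's attestation public key and an allowlist.
type Verifier struct {
	attPub  ed25519.PublicKey
	allowed map[[32]byte]string // measurement -> workload name
}

// Credential is the sealed operational token: released only to an allowlisted measurement and bound
// to the runtime public key, so using it requires the private key only the enclave holds.
type Credential struct {
	Workload string
	BoundKey ed25519.PublicKey
}

// Issue checks signature, then freshness, then measurement, before releasing anything.
func (v Verifier) Issue(r Report, expectNonce [16]byte) (Credential, error) {
	if !ed25519.Verify(v.attPub, r.signedBytes(), r.Signature) {
		return Credential{}, ErrBadSignature
	}
	if r.Nonce != expectNonce {
		return Credential{}, ErrBadNonce
	}
	name, ok := v.allowed[r.Measurement]
	if !ok {
		return Credential{}, ErrUnknownCode
	}
	return Credential{Workload: name, BoundKey: r.RuntimePub}, nil
}

// Invoke is the tool server's check: proof of possession of the bound key, so a copied token alone gets nothing.
func Invoke(c Credential, req, sig []byte) bool {
	return ed25519.Verify(c.BoundKey, req, sig)
}

// Scenario runs a genuine launch, a tampered binary, and a report re-signed with an attacker's key.
func Scenario() (genuineOK bool, tamperedErr, forgedErr error) {
	attPub, attKey, _ := ed25519.GenerateKey(rand.Reader)
	binary := []byte("agent-runtime v1.4.2 (constructed stand-in for an image)")
	config := []byte("tools=[search,email] (constructed config)")
	v := Verifier{attPub: attPub, allowed: map[[32]byte]string{Measure(binary, config): "agent-runtime"}}
	var nonce [16]byte
	rand.Read(nonce[:]) // the verifier draws a fresh nonce per attestation request
	report, runtimeKey := Launch(attKey, binary, config, nonce)
	if cred, err := v.Issue(report, nonce); err == nil {
		req := []byte(`{"tool":"search","q":"quarterly report"}`)
		genuineOK = Invoke(cred, req, ed25519.Sign(runtimeKey, req))
	}
	tampered := append([]byte("X"), binary...) // one extra byte in the image yields a different measurement
	badReport, _ := Launch(attKey, tampered, config, nonce)
	_, tamperedErr = v.Issue(badReport, nonce)
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	forged := report // same measurement and nonce, but not signed by the platform
	forged.Signature = ed25519.Sign(rogueKey, forged.signedBytes())
	_, forgedErr = v.Issue(forged, nonce)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Three things the toy keeps that production verifiers also keep: the signature is checked before the measurement is even looked at, so a forged report never reaches policy; the nonce ties the report to this request, so a captured report from an earlier genuine launch cannot be replayed; and the credential names a public key rather than being a bearer secret, which is what lets the tool server reject a token lifted from the enclave’s logs or network path. What the toy omits is the vendor certificate chain on the attestation key and the TCB version checks, which is where most of the real verifier complexity lives.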
Are TEEs perfect? No. Side-channel attacks are real. Performance overhead exists. Vendor dependencies create concentration risk. But achieving equivalent assurance through alternative means — TPMs, HSMs, formal verification, zkVMs — at cloud-native scale and operational velocity remains significantly harder.
The right mental model: TEEs as a vital foundation within defense-in-depth. Not a silver bullet. Not optional either.
The regulatory clock
EU AI Act high-risk requirements take effect August 2, 2026, six weeks after this talk. NIST’s AI Agent Standards Initiative launched in February 2026, explicitly seeking input on secure deployment of autonomous AI systems. The Confidential Computing Consortium (CCC) submitted formal responses to both NIST and the UK Department for Science, Innovation and Technology (DSIT) arguing that confidential computing is the required trust infrastructure for agentic AI.
These frameworks are technology-neutral by design. None of them say “you must use TEEs.” But they increasingly demand verifiable technical assurances: tamper-evident logging, supply chain integrity, runtime auditability, and demonstrable risk management for autonomous systems.
Hardware-rooted attestation provides levels of verifiability that software-only controls struggle to match in adversarial cloud environments. Organizations treating compliance as a software checkbox risk expensive retrofits once audit expectations crystallize around what “technically sound” actually means in practice.
Composition, not competition
Application-layer agent identity solutions — from Okta, Cequence, ServiceNow, and others — deliver critical capabilities in policy enforcement, behavioral governance, and anomaly detection. This isn’t a “those vendors are wrong” argument.
But they operate above the execution boundary. They cannot independently provide cryptographic assurance that the agent they’re governing is actually running the expected code in an untampered environment. A sophisticated attacker who compromises the runtime can make application-layer controls see whatever the attacker wants them to see.
The most resilient architectures compose both layers: hardware-rooted attestation as the foundation for code integrity, with continuous application-layer policy enforcement on top. The attestation binding is what makes the upper layers verifiable rather than merely aspirational.
What remains unsolved
The individual primitives exist. TEEs, SPIFFE, remote attestation, FIDO — all deployed at scale, proven in production. Hyperscalers have assembled significant portions of this stack for workload confidentiality and integrity.
What remains unsolved is the semantic and cross-domain layer: binding hardware attestation to actionable claims about agent intent, delegated authority, and tool use across heterogeneous environments.
Current integrations attest to containers and workloads — not to the specific actions, policies, or outcomes of autonomous agents operating on behalf of principals. Bridging this gap — attested delegation, cross-cloud agent trust, and verifiable accountability at economy scale — is the architectural challenge ahead.
It’s also the most important systems problem in AI security today. And it’s solvable. The builders working on it know who they are.
Interactive walkthrough
I built an interactive explainer that walks through the full agent lifecycle — from launch to audit — showing where attestation binds at each step. It’s a companion to the talk, not a replacement for it.
Open the interactive walkthrough →
I’m speaking at Confidential Computing Summit 2026 on June 23 in San Francisco. If you’re working on agent identity, attestation infrastructure, or the trust layer for agentic systems — come say hi.